Subprocessor List
Last updated: [Effective Date]
This page lists the third-party service providers ("subprocessors") that CloudLine engages to deliver the Service. Each one is bound by a data processing agreement (DPA) under GDPR Article 28 and processes personal data only on our documented instructions.
We maintain this list as part of our commitment to GDPR transparency (Art. 28 + Art. 30) and to keep you informed about who handles your data on our behalf.
1. Notification of new subprocessors
We will notify paying subscribers by email at least 30 days before adding any new subprocessor that will process personal data. The notice will identify the provider, its location, and the purpose of processing.
You may object within the notice period — see §4.
2. Current subprocessors
2.1 Infrastructure
| Subprocessor | Purpose | Location | Reference |
|---|---|---|---|
| Cloudflare, Inc. | Compute (Workers), database (D1), object storage (R2 — user avatars), Durable Objects (per-bot monitor + per-user notification hub), rate limiting, DDoS protection, TLS termination, Turnstile bot/abuse protection, and Workers AI (documentation chat) | Global edge; primary region: Europe (EEUR) | Privacy · DPA |
2.2 Payments
| Subprocessor | Purpose | Location | Reference |
|---|---|---|---|
| Paddle.com Market Ltd | Payment processing as Merchant of Record — subscription billing, tax calculation and remittance, invoicing, refunds, chargeback handling | United Kingdom | Privacy · DPA |
2.3 Email
| Subprocessor | Purpose | Location | Reference |
|---|---|---|---|
| Resend, Inc. | Transactional email delivery (alert notifications, account-event emails, security notices) | United States | Privacy · DPA |
2.4 Authentication (user-initiated)
You sign in to CloudLine via OAuth. Only the provider you choose receives sign-in data — none of these are mandatory, and your account is bound to whichever provider(s) you connect.
| Subprocessor | Purpose | Location | Reference |
|---|---|---|---|
| Discord, Inc. | OAuth identity provider (used if you sign in with Discord) | United States | Privacy |
| Google LLC | OAuth identity provider (used if you sign in with Google) | United States | Privacy |
| GitHub, Inc. | OAuth identity provider (used if you sign in with GitHub) | United States | Privacy |
3. International transfers
Several subprocessors above operate from outside the European Economic Area (EEA). For transfers to such providers we rely on appropriate GDPR safeguards — typically the EU-US Data Privacy Framework (Commission Decision 2023/1795) where the recipient is certified, or Standard Contractual Clauses (Commission Decision 2021/914, Module 2) where not.
See the Privacy Policy §7 for the full transfer-safeguard analysis.
4. Objecting to a new subprocessor
If we add a new subprocessor that will process personal data, we will notify paying subscribers in advance as described in §1. You may object by emailing [hello@cloudline.app] within 30 days of the notice.
If we cannot reasonably accommodate your objection — for example, because the subprocessor is essential to providing the Service — you may terminate the affected subscription and receive a pro-rated refund of pre-paid fees attributable to the unused period.
5. Changes to this list
This page reflects our current subprocessor arrangements. The Last updated date at the top of this page is bumped whenever the list changes. Material changes also trigger the notification flow described in §1.
For full data-processing details, see the Privacy Policy. For contract terms, see the Terms of Service.